This article explains how the IPS security service in the Cato Cloud security stack protects your network from malware attacks using Cobalt Strike.
Cobalt Strike is a well-known adversary simulation tool used by both threat actors and security professionals for various purposes. In this article, we outline techniques that the Cato Cloud employs to protect against attacks based on the malicious use of Cobalt Strike.
This section describes techniques used by the IPS service to identify and defend against Cobalt Strike attacks.
Cobalt Strike often leverages PowerShell for downloading malware onto a system. To counter this, the IPS engine is configured to block any suspicious PowerShell activities associated with Cobalt Strike, thereby preventing the introduction of malicious payloads.
Cobalt Strike uses distinct HTTP identifiers for communication with its Command and Control (C2) servers. Cato's IPS identifies and blocks these unique identifiers, rendering the C2 communication ineffective and protecting your network from potential threats.
Cobalt Strike offers options for privilege escalation, which can be exploited by attackers. To mitigate this risk, IPS actively blocks any attempt by the C2 server to execute privilege escalation on target systems, thus preventing unauthorized access to higher-level privileges.
Cobalt Strike relies on predefined post-exploitation commands to control compromised systems. IPS detects and blocks the execution of these commands issued by the C2 server, ensuring that any attempts to manipulate the compromised host are thwarted.
Cobalt Strike employs various techniques and tools for lateral movement within a network, including PsExec, SSH, SMB, and WinRM. To counteract these tactics, IPS together with Suspicious Activity Monitoring (SAM) can efficiently detect and block these protocols and techniques. This prevents the lateral spread of the threat within your network.
Cobalt Strike often employs Malleable C2 profiles to mimic popular services, such as Gmail, Bing, and Pandora, in an attempt to evade detection. To counter this sophisticated evasion technique, IPS employs detection methods specifically designed to identify and block Cobalt Strike's use of Malleable C2 profiles. This proactive measure ensures that even attempts to disguise malicious traffic as benign services are effectively intercepted, enhancing your network's security.
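As an added example (not Cato's IPS logic and not code from this article), the following Python scans constructed proxy log lines for two publicly documented Cobalt Strike HTTP indicators related to the identifiers and default Malleable C2 profile discussed above: the staging-URI convention inherited from Metasploit-compatible stagers (byte sum of the path modulo 256 equals 92 for x86 or 93 for x64) and a few URIs shipped in the default profile. The log format, host names and the path-length cutoff are assumptions, and the heuristic is illustrative only; short benign paths can collide with the checksum.

```python
"""Heuristic scan of HTTP proxy logs for default Cobalt Strike URIs.
Added example for illustration; it does not reproduce Cato's signatures."""
import re
from urllib.parse import urlsplit

# Public checksum8 convention for Metasploit-compatible staging URIs:
# sum of the path bytes (without the leading '/') modulo 256.
STAGER_CHECKSUMS = {92: "x86 stager", 93: "x64 stager"}
# A few URIs from Cobalt Strike's default Malleable C2 profile (public).
DEFAULT_PROFILE_URIS = {"/dpixel", "/__utm.gif", "/pixel.gif", "/submit.php"}

# Assumed log format: '<src_ip> "<METHOD> <url> HTTP/1.x" <status>'
LOG_RE = re.compile(
    r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<url>\S+) HTTP/1\.[01]" (?P<status>\d{3})$'
)

def checksum8(text: str) -> int:
    """Byte sum of the text modulo 256 (the stager URI checksum)."""
    return sum(text.encode()) % 256

def classify_request(method: str, url: str):
    """Return a reason string if the request matches an indicator, else None."""
    path = urlsplit(url).path
    if path in DEFAULT_PROFILE_URIS:
        return f"default profile URI {path}"
    stem = path.lstrip("/")
    # Default stagers use short alphanumeric paths (4 chars by default);
    # the length cutoff is an assumption that limits benign collisions.
    if method == "GET" and 1 <= len(stem) <= 8 and stem.isalnum():
        tag = STAGER_CHECKSUMS.get(checksum8(stem))
        if tag:
            return f"checksum8 {tag} URI /{stem}"
    return None

def scan_log(lines):
    """Return (src, url, reason) for every line matching an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        reason = classify_request(m["method"], m["url"])
        if reason:
            hits.append((m["src"], m["url"], reason))
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 "GET http://cdn.example.com/ab2g HTTP/1.1" 200',
    '10.0.0.5 "GET http://cdn.example.com/index.html HTTP/1.1" 200',
    '10.0.0.7 "POST http://cdn.example.com/submit.php?id=12345 HTTP/1.1" 200',
    '10.0.0.9 "GET http://www.example.org/about HTTP/1.1" 200',
    '10.0.0.9 "GET http://cdn.example.com/ab2h HTTP/1.1" 200',
]

if __name__ == "__main__":
    for src, url, reason in scan_log(SAMPLE_LOG):
        print(f"{src} {url} -> {reason}")
```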